On December 28, the New York Department of Financial Services (“NY DFS”) released its highly anticipated revised cyber security rule. As we previously noted here, the proposed regulations would require banks, insurance companies, and other financial services institutions to establish and maintain a cybersecurity program and to take other measures to protect against data breaches and cyber attacks.
The NY DFS’s proposal sparked widespread backlash from the banking industry, and the New York financial regulator received over 150 comment letters from affected parties, including banks, insurers, and money service businesses. Critics railed against the proposed regulation as being too strict and untenable as to certain specifics regarding cybersecurity programs, for increasing monitoring of third-party vendors, and for appointing a chief information security officer.
In response, the NY DFS made a number of changes to the proposed regulation. Perhaps most favorable to financial institutions, money transmitters, insurance companies, and other covered entities is the Department’s decision to provide more risk-based controls related to cybersecurity programs, penetration testing, vulnerability assessments, audit trails, access privileges, encryption, and multifactor authentication. The original proposed rule provided more prescriptive minimum rule-based controls that offered less flexibility for covered entities. The shift to more risk-based controls comports more closely with federal Gramm-Leach-Bliley Act (“GLBA”) requirements that the specific controls employed be in line with the size and sophistication of the regulated entity.
Other notable changes include:
- Requiring that risk assessments be performed “periodically” rather than annually as mandated in the original regulation;
- Requiring that the company’s cybersecurity plan be reviewed and approved by either a senior officer or the board of directors, and not both as called for in the original proposal;
- Creating a “limited” small business exemption for covered entities that have fewer than 10 employees, less than $5 million in gross annual revenue, or under $10 million in year-end total assets;
- Clarifying that businesses only need to ensure that someone is performing the duties of a chief information security officer, and that they don’t need to dedicate an employee exclusively to these activities;
- Allowing companies to forgo encrypting nonpublic information and to use a different control when they find such encryption to be “infeasible”; and
- Narrowing the notification trigger by limiting required reporting to events that the business is already required to report to other regulators or supervisory bodies and that have “a reasonable likelihood of materially harming any material part of the normal operations” of the institution.

The revised rule also extends the deadline for compliance to March 1, 2017 from its previous deadline of January 1, 2017.

Even with the new changes, critics may still not be satisfied. For example, the NY DFS rejected a request from a number of commentators that the proposed regulation should harmonize more closely with other standards, including state, federal, and international standards – both existing and proposed. In response to these criticisms, the NY DFS stated that it “has been continually mindful of other standards and approaches and believes that the revised regulation is appropriately consistent with the goal of setting minimum standards.”

The updated regulation will be finalized in January following a 30-day notice and public comment period, and will become effective on March 1, 2017.